Apply the New Microsoft Updates Immediately

The stars of yesterday’s security bulletins from Microsoft were a couple of flaws in Internet Explorer 7 (not earlier versions). These were rated critical so it’s obvious you have to take them seriously, but in fact it’s more serious than that.

A few months ago Microsoft started including an “Exploitability Index” value to show how easy it should be to construct a successful attack using the vulnerability they were disclosing. In many cases, a vulnerability may be critical because the consequences of it being exploited are serious, but in fact it is not so easy to exploit.

Monday’s Internet Explorer vulnerabilities were given an Exploitability Index value of 1, which translates to “Consistent exploit code likely.” Microsoft adds the note “Consistent exploit code can be crafted easily.” See the monthly security bulletin summary and click on Exploitability Index for all this. For some reason, Microsoft does not include these Exploitability Index values in the individual security bulletins, such as the one for Internet Explorer yesterday.

What this means is that you can expect, or at least you should assume, that attack code to exploit this vulnerability will be on the Internet very soon. It will be pushed through all the usual channels, some of which are hard to avoid, such as ad banners.

Yesterday’s SQL Server vulnerability also received an Exploitability Index value of 1 and, in fact, according to Microsoft “Post-authentication, functional exploit code has been published.” This means that a user who can authenticate on the server can exploit the flaw to take control. It’s just a matter of time before there is plug-in code to exploit it through a SQL injection vulnerability.